Major Apple iPhone flaw disclosed: Apple ID accounts drained even with two-factor authentication enabled

Yesterday a post on the programmer community V2EX became widely discussed: user airycanon reported that a family member's iPhone had Apple ID two-factor authentication enabled but was still phished and robbed of money.

According to the post, the family member downloaded a recipe app from the App Store and signed in to it using Apple ID authorization. The app then displayed a password input box; after the password was entered, the account information was stolen, and at no point during the process did a two-factor authentication prompt appear.

According to tests by the blogger BugOS 技术组 (BugOS Technical Group), an app on a trusted device can open a hidden WebView to appleid.apple.com without triggering two-factor verification; because of this serious flaw, a single face scan is enough to sign in. The app then used a fake dialog to phish the password, added the scammer's phone number as a trusted number for two-factor authentication, remotely erased the device so the victim could no longer receive charge notifications, and made fraudulent charges.

Looking at the overall mechanism, this method is genuinely covert and hard to defend against, and it is currently unclear when Apple will fix the flaw. BugOS Technical Group advises: when a window asking for your Apple ID password appears on an iPhone, try pressing the Home button or swiping up to dismiss it; any prompt that can be dismissed that way is a scam.